I'm looking for best practices documentation that addresses Internet access from internal servers. What's considered the best practice? Allow ports 80 and 443 through the firewall from internal servers (not Internet-facing), or block? Best practice would have servers updated/patched from a local server within their internal network segment. I found documentation on TechNet that covers domain controllers, but nothing that mentions everything else. TechNet at least says domain controllers should have no access through the firewall to the Internet. My concern now is the other servers installed on the inside. Not the Internet-facing servers installed within the DMZ, but servers installed on the inside supporting internal operations only. Does anyone know where I can find documentation from a well-known source?